Process for Assessing Risk

Assessing risk is a process and, as such, is something that must be periodically repeated. It's really not much different from the automated patch-management tools you are probably using. True security requires ongoing effort. There is never a wrong time to assess risk and examine network vulnerabilities. There are three key points at which assessments should be considered:

  1. When a new program is developed, a risk analysis should be performed to establish the security state of the system. An analysis performed this early helps establish whether security problems exist. This is beneficial when new code or applications are developed, because problems can be found and fixed early on.
  2. An analysis of risk should be performed whenever changes are made to systems, processes, or programs. A risk analysis performed at this time is instrumental in uncovering vulnerabilities that occur as a side effect of the change.
  3. A vulnerability assessment should be performed periodically to examine the controls that have been implemented. It's also advisable any time there has been a breach in security, an intrusion, or an attack. At this point, the assessment is critical because it can help uncover how the breach occurred and discover what problem in policy or system vulnerability allowed the event to occur.

Note

In Chapter 4, "Risk Assessment Methodologies," you learn more about the methodologies that can be used to assess and analyze risk.

What is important to note at this point is why developing a risk assessment process is so important. A primary reason is to show due care and due diligence. Other reasons include the following:

  • Maintain customer confidence.
  • Protect confidentiality.
  • Prevent inappropriate disclosure.
  • Ensure the integrity of the organization's informational assets.
  • Ensure that the organization's resources are not misused or wasted.
  • Comply with state, provincial, and federal laws and regulations.
  • Avoid a hostile workplace atmosphere.

Inside Network Security Assessment: Guarding Your IT Infrastructure
ISBN: 0672328097
Year: 2003
Pages: 138